def test_graph_ownership(self):
owner = get_signed_in_user(self)
if not owner:
return # this test delete users which are beyond a SP's capacity, so quit...
self.kwargs = {'owner': owner}
self.recording_processors.append(
AADGraphUserReplacer(owner, '*****@*****.**'))
try:
self.kwargs['owner_object_id'] = self.cmd(
'ad user show --upn-or-object-id {owner}').get_output_in_json(
)['objectId']
self.kwargs['app_id'] = self.cmd(
'ad sp create-for-rbac --skip-assignment').get_output_in_json(
)['appId']
self.cmd(
'ad app owner add --owner-object-id {owner_object_id} --id {app_id}'
)
self.cmd('ad app owner list --id {app_id}',
checks=self.check('[0].userPrincipalName', owner))
self.cmd(
'ad app owner remove --owner-object-id {owner_object_id} --id {app_id}'
)
self.cmd('ad app owner list --id {app_id}',
checks=self.check('length([*])', 0))
finally:
if self.kwargs['app_id']:
self.cmd('ad sp delete --id {app_id}')
def test_graph_group_ownership(self):
owner = get_signed_in_user(self)
if not owner:
return # this test delete users which are beyond a SP's capacity, so quit...
self.kwargs = {
'owner': owner,
'group': self.create_random_name('cli-grp', 15),
}
self.recording_processors.append(
AADGraphUserReplacer(owner, '*****@*****.**'))
try:
self.kwargs['owner_object_id'] = self.cmd(
'ad user show --upn-or-object-id {owner}').get_output_in_json(
)['objectId']
self.kwargs['group_object_id'] = self.cmd(
'ad group create --display-name {group} --mail-nickname {group}'
).get_output_in_json()['objectId']
self.cmd(
'ad group owner add -g {group_object_id} --owner-object-id {owner_object_id}'
)
self.cmd(
'ad group owner add -g {group_object_id} --owner-object-id {owner_object_id}'
)
self.cmd('ad group owner list -g {group_object_id}',
checks=self.check('length([*])', 1))
finally:
if self.kwargs['group_object_id']:
self.cmd('ad group delete -g ' +
self.kwargs['group_object_id'])
def test_graph_ownership(self):
playback = not (self.is_live or self.in_recording)
if playback:
owner = MOCKED_USER_NAME
else:
account_info = self.cmd('account show').get_output_in_json()
if account_info['user']['type'] == 'servicePrincipal':
return # this test delete users which are beyond a SP's capacity, so quit...
owner = account_info['user']['name']
self.kwargs = {'owner': owner}
self.recording_processors.append(
AADGraphUserReplacer(owner, '*****@*****.**'))
try:
self.kwargs['owner_object_id'] = self.cmd(
'ad user show --upn-or-object-id {owner}').get_output_in_json(
)['objectId']
self.kwargs['app_id'] = self.cmd(
'ad sp create-for-rbac --skip-assignment').get_output_in_json(
)['appId']
self.cmd(
'ad app owner add --owner-object-id {owner_object_id} --id {app_id}'
)
self.cmd('ad app owner list --id {app_id}',
checks=self.check('[0].userPrincipalName', owner))
self.cmd(
'ad app owner remove --owner-object-id {owner_object_id} --id {app_id}'
)
self.cmd('ad app owner list --id {app_id}',
checks=self.check('length([*])', 0))
finally:
if self.kwargs['app_id']:
self.cmd('ad sp delete --id {app_id}')
def test_graph_group_scenario(self):
account_info = self.cmd('account show').get_output_in_json()
if account_info['user']['type'] == 'servicePrincipal':
return # this test delete users which are beyond a SP's capacity, so quit...
upn = account_info['user']['name']
domain = upn.split('@', 1)[1]
self.kwargs = {
'user1': 'deleteme1',
'user2': 'deleteme2',
'domain': domain,
'new_mail_nick_name': 'deleteme11',
'group': 'deleteme_g',
'pass': '******'
}
self.recording_processors.append(
AADGraphUserReplacer('@' + domain, '@example.com'))
try:
# create user1
user1_result = self.cmd(
'ad user create --display-name {user1} --password {pass} --user-principal-name {user1}@{domain}'
).get_output_in_json()
self.kwargs['user1_id'] = user1_result['objectId']
# update user1
self.cmd(
'ad user update --display-name {user1}_new --account-enabled false --id {user1}@{domain} --mail-nickname {new_mail_nick_name}'
)
user1_update_result = self.cmd(
'ad user show --upn-or-object-id {user1}@{domain}',
checks=[
self.check("displayName", '{user1}_new'),
self.check("accountEnabled", False)
]).get_output_in_json()
self.cmd('ad user update --id {user1}@{domain} --password {pass}')
self.cmd(
'ad user update --id {user1}@{domain} --password {pass} --force-change-password-next-login true'
)
with self.assertRaises(CLIError):
self.cmd(
'ad user update --id {user1}@{domain} --force-change-password-next-login false'
)
self.kwargs['user1_id'] = user1_update_result['objectId']
# create user2
user2_result = self.cmd(
'ad user create --display-name {user2} --password {pass} --user-principal-name {user2}@{domain}'
).get_output_in_json()
self.kwargs['user2_id'] = user2_result['objectId']
# create group
group_result = self.cmd(
'ad group create --display-name {group} --mail-nickname {group}'
).get_output_in_json()
self.kwargs['group_id'] = group_result['objectId']
# add user1 into group
self.cmd('ad group member add -g {group} --member-id {user1_id}',
checks=self.is_empty())
# add user2 into group
self.cmd('ad group member add -g {group} --member-id {user2_id}',
checks=self.is_empty())
# show user's group memberships
self.cmd('ad user get-member-groups --upn-or-object-id {user1_id}',
checks=self.check('[0].displayName',
self.kwargs['group']))
# show group
self.cmd('ad group show -g {group}',
checks=[
self.check('objectId', '{group_id}'),
self.check('displayName', '{group}')
])
self.cmd('ad group show -g {group}',
checks=self.check('displayName', '{group}'))
# list group
self.cmd('ad group list --display-name {group}',
checks=self.check('[0].displayName', '{group}'))
# show member groups
self.cmd('ad group get-member-groups -g {group}',
checks=self.check('length([])', 0))
# check user1 memebership
self.cmd('ad group member check -g {group} --member-id {user1_id}',
checks=self.check('value', True))
# check user2 memebership
self.cmd('ad group member check -g {group} --member-id {user2_id}',
checks=self.check('value', True))
self.cmd('ad group member list -g {group}',
checks=[
self.check("length([?displayName=='{user1}_new'])",
1),
self.check("length([?displayName=='{user2}'])", 1),
self.check("length([?displayName=='{user1}'])", 0),
self.check("length([])", 2),
])
# remove user1
self.cmd(
'ad group member remove -g {group} --member-id {user1_id}')
# check user1 memebership
self.cmd('ad group member check -g {group} --member-id {user1_id}',
checks=self.check('value', False))
# delete the group
self.cmd('ad group delete -g {group}')
self.cmd('ad group list',
checks=self.check("length([?displayName=='{group}'])", 0))
finally:
try:
self.cmd('ad user delete --upn-or-object-id {user1_id}')
self.cmd('ad user delete --upn-or-object-id {user2_id}')
self.cmd('ad group delete -g {group}')
except Exception:
pass
